Security of entanglement-based quantum key distribution with practical detectors 
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We prove the unconditional security of an entanglement-based quantum-key-distribution protocol 
using detectors that respond to multiple modes of light and cannot distinguish between one from 
two or more photons. Even with such practical detectors, any defect in the source is automatically 
detected as an increase in the error rate or in the rate of double clicks. 

PACS numbers: 



The idea of using quantum entanglement for absolutely 
secure secret communication was first proposed by Ekert 
[l|, followed by a proposal of a modified quantum- key- 
distribution (QKD) protocol (BBM92) by Bennett et al. 
[2]. When ideal apparatuses are used and the source is 
possessed by a legitimate user, the BBM92 protocol is 
equivalent to the BB84 protocol [3], which does not use 
an entangled source. On one hand, this property has lead 
to a powerful security proof [4] based on entanglement, 
which is applicable to prepare-measure protocols such as 
the BB84 protocol A] and the B92 protocol 0, 0, Q- 
But on the other, the equivalence may have discouraged 
the use of an entangled source in an actual setup if the 
same function is available without the trouble of generat- 
ing entanglement. In fact, a huge advantage of actually 
using an entangled source shows up when we take de- 
fects in the source into account. Defects may arise from 
limitation on technology, and in the BB84 protocol they 
raise new threats on the security such as the photon- 
numbcr-splitting attack [g]. Even worse, in long-distance 
communication a source must be placed at an insecure 
relay station and hence its property cannot be trusted 
anymore. The entanglement-based protocol such as the 
BBM92 protocol provides a unique property in this sit- 
uation. Since the protocol is based on testing a strong 
correlation unique to the entanglement, we may expect 
that any defect in the source will be revealed as a degra- 
dation of the correlation. 

An important question at this point is what kind of 
detection apparatus is required to realize such a built- 
in mechanism for detecting the defects in the source. It 
would surely be a disappointment if we were forced to use 
an ideal detector for such a purpose. So far, it has been 
shown [3] that it is sufficient if one of the two parties 
have a detection apparatus with a so-called squashing 
property [lO|, that is, equivalence to a noisy quantum 
channel followed by an ideal BB84 measurement on a 
qubit. It is expected that a practical detection apparatus 
(as in Fig. 1) with two threshold (on/off) detectors will 
satisfy the squashing property if we assign a random bit 
whenever both detectors have clicked. Based on this con- 
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FIG. 1; Schematic of the setup for the BBM92 protocol. 



jecture, practical benefits of the BBM92 protocol, such as 
placing the source in the middle to achieve a larger com- 
munication distance, were discussed ll| quantitatively. 
But the proof of the conjecture remains open, leaving an 
unsatisfactory situation that the BBM92 protocol, being 
one of the basic QKD protocols with many experimental 
demonstrations |12l . ll3L Il4l . Il5l | , still requires an assump- 
tion in the detectors for its security. 

In this paper, we prove the unconditional security of 
the BBM92 protocol with practical threshold detectors 
which cannot distinguish between one photon from two 
or more, and cannot single out a single optical spatio- 
temporal mode either. Instead of proving the squashing 
property, we adopt a protocol in which the double-click 
events are simply discarded. The proof is based on a 
simple inner-product formula for the basis states, which 
shows that the parity of the number of incident photons 
has an important role. Eve can carry out a powerful 
attack by distributing odd and even numbers of photons 
to the two receivers. The security is essentially obtained 
by monitoring the bit-error rate and the double-click rate 
to watch out for the possibility of such an attack. 

The protocol considered here is the BBM92 protocol 
with the detection apparatuses shown in Fig. 1. For each 
event, Alice randomly chooses between the Z basis and 
the X basis using a wave plate placed before the polar- 
izing beam splitter (PBS). In the Z-basis measurement, 
horizontal (H) and vertical (V) polarization components 
are split at the PBS and sent toward two threshold detec- 
tors corresponding to bit values and 1 . In the X-basis 
measurement, the ±45° polarizations {D±) arc split in- 



stead. Alice publicly announces whether she detected 
photons, and if so, she also announces whether both of 
the detectors clicked (double clicks). Bob follows the 
same protocol as Alice. The bit values are registered 
only when both parties have detected photons, but nei- 
ther party has seen double clicks. 

As usual, we assume that non-unit efficiency and dark 
counting of the detectors can be equivalently described by 
a noise source in front of the detection apparatus. This 
is satisfied, for example, if two detectors with matched 
efficiency are used and their roles are switched randomly. 
Hence, here and henceforth, we treat each detector as an 
ideal threshold detector that clicks when it receives one 
or more photons. 

Let A^ be the number of events where both Alice and 
Bob detected photons and their basis choices were the 
same. In principle, the number of photons (riA > 1) 
incident on Alice's apparatus can be determined for each 
event, since this observable commutes with Alice's actual 
measurement. The same goes with Bob's photon number 
TiB > 1 . Accordingly, the A^ events are classified into N^ 
'multi-photon events' satisfying UA+ns > 3 and A^(l— ^) 
'single-photon events' with ua = nB — 1. Among the 
A'^^ multi-photon events, suppose that N^Sm events were 
discarded due to double clicks, and N^e^ events showed 
bit errors, namely, different bit values were registered by 
Alice and Bob. The single-photon events should have no 
double clicks, and suppose that they include A^(l — ^)ei 
bit-error events. Whereas the parameters (^, i5m, fm, ci) 
are all measurable in principle, the actual setup does not 
reveal {ua, ns) and hence only tells us the overall double- 
click fraction S and a good estimate of the overall error 
fraction e, which are related to (^, Sm, Em, ei) as 
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From the N events, Alice and Bob produce sifted key of 
length A^(l — S) with a quantum bit error rate (QBER) 
e/(l — S). For simplicity, we assume that the error 
correction is done by encrypted one-way communica- 
tion from Alice to Bob by consuming the previously 
shared secret key of length N{l — S)fH{e/{l — 5)), where 
H{x) = — a;log2 x — {1 — x) log2(l — x) and / > 1 rep- 
resents the inefficiency in the practical error correction 
schemes. The reconciled key is further shortened by Nt 
to amplify the privacy, where r is determined from the 
observed values {6, e). The fraction i?koy of the final key 
(normalized by N) is thus written as follows, 

i?kcy - (1 - <5) [1 - fHie/il - S))] - t(J, e). (3) 

In the limit of large N, the final key is secure if 

T{6,e)>{l-0H{e,)+ai-S„,) (4) 

holds for any attack by Eve, because the right-hand side 
is given by the argument by Gottesman et al. 'lCl| with a 



pessimistic assumption that Eve perfectly knows Alice's 
bit value in multi-photon events. One might expect that 
the use of multi-photons inevitably leads to bit errors 
Cm > and double clicks dm > 0, but it turns out that 
either value can be zero by choosing a suitable state. But 
Eve cannot make both of the values to be zero at the 
same time. In what follows, we determine this trade-off 
relation and determine T{S,e) satisfying Eq. (j4|). 

Let us first suppose that Alice (or Bob) receives n pho- 
tons in a single spatio-temporal mode. Let \Q, n) be the 
state with n photons in the same polarization Q, namely, 
Q,n) = (n!)"^/^(aQ)"|i;ac) with aq being the photon 
annihilation operator for polarization Q. On the Z-basis, 
the outcome corresponds to the projection to the state 
|0lj"^) = |iJ,n), and 1 to the state lll."^) = \V,n). The 
other n — 1 orthogonal states correspond to the double 
clicks. On the A-basis, the outcomes and 1 correspond 
to the states jot'^) = \D+,n) and |1^^) = \D-,n). Us- 
ing aD± — 2^^'"^ (an ± ay), we obtain a relation vital to 
our discussion, 



(4')|4")) = (_i) 
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(5) 



We can show that this relation is unaltered even if n 
photons are distributed over multiple modes. In such a 
case, the photon numbers ni,n2, . . . in each mode can 
be measured in principle. For fixed values of {uj}, the 

state |0^ ) is given by \H,ni)\H,n2) ■ ■ ■ , and so are the 
other three states. Noting that ^ Uj = n, one can see 
that the inner products are still given by Eq. ([5]). The 
only difference is the dimension d = n("i + 1) of the 
state space, but it does not affect the argument below, 
in which only Eq. fS]) is used. 

When n = 21 + l{l ^ 1,2,...), Eq. (O reads 



, (21+1),, 1(21+1) ~^ 



^(l)|^,'(l)\o-^ 



(6^'"''>^""''0 = (bx'lb'z')^''^ which leads to a clear 
physical interpretation. Since the dimension d is even, 
the state space Ti.A can be identified with a combined 
system Ha' ^ "Ha" of a single photon (qubit) A' and an 
ancilla A", with the relations 
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A"{W = Z,X), 
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(6) 

(7) 



which preserve the inner products ([5]). Hence for an odd 
number of incident photons, Alice's measurement can be 
regarded as an ideal BB84 measurement on a qubit A' , 
except that the outcome is overridden by the occurrence 
of double clicks that is determined by a basis-dependent 
measurement on the ancilla A" . On the other hand, for 
even numbers we have a constant inner product 



{bf\h 



/(20\ ^ 2"' 



(8) 



which has no simple connection to a qubit. 

Now let us derive a trade-off relation between {5rm £m)- 
For the moment, we consider the attacks using only a 



single combination of {ua, tib)- For each event, the mea- 
surement operator i^err for having a bit error and i^cor for 
sharing the same bit value are given by 

W=X,Zb=0,l 

Feor = 2-1 E E Pi\b\;^^^)A\b^w"^)B), (10) 

W=X,Zb=0,l 

where P(|-)) = |-)(-|. l — Fcor — -F'ci.i. corresponds to double 
clicks. Let us write an expectation value of observable O 
as {0)p = Tr(Op). If r((i^eor)p, (-F;rr)p) < holds for any 
state /5, the probability of (Srm^m) to be deviated from 
the region rfl — S^ — irm^m) < is exponentially small 
for large A*" [y, ll6[. In what follows, we consider the limit 
N ^ oo and ignore such rare possibilities. We divide the 
argument according to the parities of {iia, ns)- 

i) Odd-odd, ha — 21 a + 1 and ub ~ 21b + 1 with 
Ia + Ib > 1. From Eqs. ^, ^ and ^ with Pw = 
F(l0ll/"^>A"|0l!f^>s"),wehave 

i^cor + i^crr = U' <» Ifi' <^ {Pz + Px)/2. (11) 

Eq. ([7]) shows that the largest eigenvalue of Pz + Px is 
1 + 2-'-*-'«, and we have 



<^m>(l-2-'^-'«)/2>l/4 



(12) 



ii) Odd-even, ua = 21a + 1 > 1 and hb = 21b > 2. 
According to Eq. ^, there exists a unitary V satisfying 



V\a^;^^^)A\b^w' 



,("a) 



)B = \a\;^^')A\ib + amod2y^-')B{l3) 



("i3)\ 



for W — X, Z. The operation of V is regarded as a 
basis-independent controUed-NOT gate, which is possible 
because the target system B is not a qubit but has a 
larger dimension. Since Eve is allowed to prepare any 
state, it makes no difference if we assume that she applies 
V just before she sends systems A and B to Alice and 
Bob. Then the relevant observables take simple forms as 
follows: 



V^F,,,V ^ \A'®{Pl + Pk)l2, 
V^F,,,V = \a'®{Pz + Px)I2: 

where Pt = P{\c^w^)A"\b^w^^)B). This leads to 



w 



> g(5.,n) for 5„, < 1/3, 



(14) 
(15) 



(16) 



where g{S) = [{1 - S)/2] - y^5{l -25). The boundary is 
achievable with ua — 1 and ub = 2. Of course, the case 
with UA = 21a > 2 and ub = 21b + 1 > 1 follows the 
same condition. 

Incidentally, the existence of the operation V leads to 
an interesting attack by Eve with ua = 1 and ub = 2. 
Suppose that Eve prepares a maximally entangled state 
\(l)^) AE and a pure state |x)b, and then applies unitary 
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FIG. 2: The observed fractions (5, e) of double clicks and of 
bit errors are a mixture of the multi-photon contribution (the 
shaded region) and the single photon contribution (5 = 0). 



V before she distributes the photons to Alice and Bob. 
As is seen from Eqs. (ITi|) and ([TS]), {5,m Cm) is determined 
solely by the state |x)b, and hence Eve can realize any 
point on the boundary em = g{6m) by choosing \x)b to 

be Y.w'^\^w) + P\^w)- On the other hand, Eq. ^ 
shows that Alice's outcome can be regarded as obtained 
from the direct measurement on | </'"'" )ab. Hence after the 
basis is announced. Eve precisely learns Alice's bit. This 
particular attack constitutes a lower bound tiow on t[5, e) 
to have a secure key: 



Tlo 



,{5, e) = max 



i-5+{l-i)H 



S,9{5/0 \ 



1-e J 



ill) 



iii) Even-even, ua — 21a ^ 2 and ub — 21b ^ 2. 
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and define the projection P, 



^(nB)\ 



bi,)AB ^ 2-v2[|o(^-^)^|o^-Os±iiroAiirosj 



|("a)\ 



|("b)\ 



'± - \A± 



'^^ = \4>^){c^^\. Further 

iet|V'^)AB^2-v2[|o(;^-))^|i(;^-))5±|i(;^-))^lol;)-)}5] 

and define P^ accordingly. We see from Eq. ([5]) that the 
state with the minus sign (such as \'>Px) ab) is orthogonal 
to any of the other seven states. Hence we can write 



Pen- = 2-^[{Pt+ 



Fr, 



JtlJ+ 



pr)®iP: 



©0],(18) 
2-1 [(^1+ + Px'^) © ® {Pt + Pt)]- (19) 



t+Pp 

4>- 
z 



This leads to the same condition as Eq. ([Tc 

Since the general attack is a mixture of attacks to 
various {nA,nB), we conclude that {Sm,£m) must be in 
the shaded region of Fig. 2, obtained by taking convex 
combination of Eqs. (fT2|) and (fTH]) . t(5, e) is then deter- 
mined as the maximum of the right-hand side of Eq. (j4]) 
under the constraints Eqs. ([T|) and Q. The optimiza- 
tion is reduced to a standard problem of determining the 
convex huU of the points (0,ei,ff(ei)) (0 < ei < 1/2), 
{dm,g{dm),l- 6m) {0 < Sm < 1/3), and (1/4,0,3/4). 
We classify the results into the three different regions 
(a)-(c) shown in Fig. 2. Let ej = 0.080 be the root of 
16el{l - el)^ ^ 1. 
(a) For e< 6^(1-45), 



t{6, e) = 3(5 + (1 - 4^)i7(e/(l - 46)). 
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FIG. 3: Dependence of key fraction -Rkcy on the double-click 
fraction 5. Solid curves are proved to be secure in the dis- 
carding protocol. Dash-dotted curves are the upper bounds 
for the discarding protocol. Broken curves are the key frac- 
tion conjectured to be secure in the random-bit-assignment 
protocol. 



(b) Forel{l~A6) < e < min{(l -6(5)et + ((5/2), l/4-(5}, 



t{S, e) = [ci6 + C2€ + C3]/(l - 4e*) 



(21) 



with constants ci = 3 - 4i/(e5;) + 4e*, C2 = 4(1 - H{el)), 

and C3 = H{el) - Ael 

(c) For (1 - 66)el + ((5/2) < e < g{S), 



T{S,e) = now{S,e). 



(22) 



Figure 3 (solid curves) shows the key fraction i?kcy in 
Eq. ^ assuming the ideal error correction (/ = 1). We 
see that the key fraction has almost linear dependence 
on the double-click fraction S. The dash-dotted curves 
are the key fractions assuming t((5, e) = tiow(^, e), which 
is the upper bound on the key fraction for any protocol 
in which the privacy amplification for the single-photon 
events costs -ff(ei). The difference is not so large, indi- 
cating that the pessimistic condition Q we used for sim- 
plifying argument does not sacrifice the efficiency much. 

For comparison, we have added to Fig. 3 the broken 
curves -Rkey = 1 — 2H{e + 6/2), which is the key fraction 
conjectured to be secure in the protocol with random-bit 
assignment for the double-click events. For lower val- 
ues of e, we see that discarding the double-click events is 
better than assigning a random bit and raising the error 
rate as a result. When e is larger, both curves are al- 
most the same. Hence for almost all practical purposes, 
the random-bit assignment is unnecessary. On the other 
hand, from the theoretical point of view, it is interesting 
to notice that the conjectured curve for high e slightly ex- 
ceeds even the upper bound on the discarding protocol. 
This may suggest that keeping Eve uninformed about the 
occurrence of double clicks could have an advantage even 
at the cost of raising the error rate by the random-bit 
assignment. For definite answers, we must wait for the 
development of the security analysis for the random-bit- 
assignment protocol 17[. 



To conclude, we have proved the unconditional security 
of an entanglement-sharing QKD protocol (the BBM92 
protocol) with the use of practical detection apparatuses 
and with no assumption on the source, which establishes 
the prominent feature of the protocol — the built-in 
mechanism for detecting defects in the source. We chose 
to discard the double-click events, which enabled us to 
build up the proof from a very simple nonorthogonality 
relation [Eq. ([5])] that holds regardless of the mode struc- 
ture of incident photons. The proved secure key rate is 
higher than or almost the same as the rate conjectured 
for the random-bit-assignment protocol, and hence prac- 
tical benefits of the BBM92 protocol discussed by Ma et 



11[ are now confirmed with unconditional security. 



The security proof is also applicable to a long-distance 
QKD using quantum repeaters [l9|. 

The authors thank K. Azuma for helpful discussions. 
This work was supported by MEXT Grant-in-Aid for 
Young Scientists (B) 17740265. 



[4; 

[5] 
[6] 

[7 

[s; 

[9; 

[lo; 

[11 

[12 



[is; 

[14 

[is; 



[16; 

[ir 



[is; 

[19 



A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). 

C. H. Bennett, G. Brassard, and N. D. Mermin, Phys. 

Rev. Lett. 68, 557 (1992). 

C. H. Bennett and G. Brassard, in Proceeding of the IEEE 

International Conference on Computers, Systems, and 

Signal Processing, Bangalore, India (IEEE, New York, 

1984), pp. 175-179. 

P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 

(2000). 

C. H. Bennett, Phys. Rev. Lett 68, 3121 (1992). 

K. Tamaki, M. Koashi, and N. Imoto, Phys. Rev. Lett. 

90, 167904 (2003). 

M. Koashi, Phys. Rev. Lett. 93, 120501 (2004). 

G. Brassard, N. Liitkenhaus, T. Mor, and B. C. Sanders, 

Phys. Rev. Lett. 85, 1330 (2000). 

M. Koashi and J. Preskill, Phys. Rev. Lett. 90, 057902 

(2003). 

D. Gottesman, H. K. Lo, N. Liitkenhaus, and J. Preskill, 
Quant. Inf. Comput. 5, 325 (2004). 

X. Ma, C.-H. F. Fung, and H.-K. Lo, Phys. Rev. A 76, 

012307 (2007). 

T. Jennewein et at, Phys. Rev. Lett. 84, 4729 (2000); 

D. S. Naik et at, ibid., 4733 (2000); W. Tittel et al, 

ibid., 4737 (2000). 

A. Poppe et al. Opt. Express 12, 3865 (2004). 

R. Ursin et al, Nature Physics 3, 481 (2007). 

S. Sauge et al. Opt. Express 15, 6926 (2007); H. Hubel 

et al, ibid., 7853 (2007); T. Honjo et al, ibid., 13957 

(2007). 

J.-C. Boileau et al, Phys. Rev. Lett. 94, 040503 (2005). 

At the time of writing, an interesting approach \1^ came 

to our notice, in which a weaker version of the squashing 

property is proved, and is claimed to be enough to prove 

the security for single-mode inputs. 

T. Tsurumaru and K. Tamaki, arXiv:0803.4226vl. 

H.-J. Briegel, W. Diir, J. I. Cirac, and P. ZoUer, 

Phys. Rev. Lett. 81, 5932 (1998). 



